A Conduit For Attack
What every retailer should know about managing patches and updates
- By Hedgie Bartol
- Jun 01, 2016
In the days of analog DVR-based surveillance systems, the biggest worries
retailers faced were equipment failure and theft of the recording medium.
As closed systems, their problems remained contained within those systems.
But in today’s surveillance landscape, where an ever-greater number of IPbased
cameras ride on the corporate network, retailers need to understand
their video security system’s vulnerabilities in a whole new light.
Specifically, any under-protected, network-connected device presents a potentially
exploitable entry point for attacking every system and any data on the
network, from point-of-sale transactions and credit card processing to strategic
business plans and company financials. With today’s PCI requirements pushing
physical and cyber security closer together, addressing this topic becomes
paramount.
TAKE A LESSON FROM YOUR IT COUNTERPARTS
When it comes to network security, IP-based cameras are relatively new kids on the
block. But the guiding principles for securing those devices are the same as IT uses
for any device sharing their network. So it makes sense for Loss Prevention and Asset
Protection Departments to reach across the organization to their IT counterparts
for expertise and guidance in protecting their surveillance technology.
So, what are some of the best practices LP and AP can apply to their video systems?
Change factory default log-in credentials. This is a common oversight that needs
to be addressed before the device goes live. Back in the days of analog, if the DVR
had password protection it was generally the default one and couldn’t be changed
or updated. However, with IP systems password control is in the hands of the
end user. When changing the default log-in, make sure that users create strong
passwords that are at least eight characters in length that incorporate a mix of
uppercase and lowercase letters, numbers and symbols. To maintain security, users
should change their passwords with some frequency.
Create a least-privilege access hierarchy. Also during the analog days, rights
and privileges were generally global in scope. If you had access to the system, you
had access to the entire system. IP systems give you much more granular control.
When creating user accounts be sure to grant only those privileges that are essential
to a user’s daily job performance and nothing more. If you let users access
your company’s network video recorders and IP cameras using an admin’s root
credentials, those credentials risk compromise and then hackers can gain wholesale
access to the entire network.
Be diligent about configuration and patch management. Being a closed system,
analog technology was inherently difficult for IT departments to update and manage.
But the open standards used by today’s IP systems allow them to evolve over
time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing
to update years-old firmware can leave
your surveillance system exposed to
many known virus and malware and
give hackers an open door to the network
through your camera.
Track attempted hacks and breaches.
The best way to shore up defenses
against future attacks is to understand
what’s happening on the network today.
This is where the partnership with IT
becomes paramount. IT usually owns
the network monitoring technology
and possesses the log analysis skills to
identify unauthorized access attempts
and breaches. They can help pinpoint
the exploitable weaknesses in your surveillance
technology and devise strategies
for hardening your devices.
THE PENALTY FOR
LAX SECURITY PRACTICES
Because of their high-capacity processing
power many IP cameras are
delivering added value beyond traditional
security. With the ability to
run onboard analytics such as people
counting, traffic patterns, dwell time,
line queuing and more, they’re able to
provide retailers with vital business intelligence
to improve marketing, merchandising,
and operations. But those
added apps present yet another layer
of potential vulnerability that must be
tightly managed.
The lack of cybersecurity awareness
coupled with careless security precautions
(such as haphazard application of
updates and patches) invariably opens
the door for malware infection and exploitation.
Denial of service. One of the more
common attacks is denial of service.
Whether through an intentional internal
act, a mistaken download of particular
software, or an external attack, the
malware purposefully increases communication
on the network, eventually
clogging the network by repeatedly
flooding it with tens of thousands of
requests per second. Once the network
is clogged, retailers can no longer conduct
business—including POS transactions,
credit card verification and other
mission critical activity.
Port hijacking. Oftentimes hijackers
will troll for open, unsecured ports
that they can commandeer to gain access
to the network or they gain physical
access to your network by grabbing
the network cable from an outdoor
camera and plugging into their laptop.
Once inside your system they can do
unlimited damage.
Brute-force dictionary attacks.
This attack’s name comes from the
way hackers try to penetrate the system:
trying as many permutations and
combinations as there are words in a
dictionary. When faced with a log-in
credential request—a decryption key
or passphrase—sophisticated hackers try hundreds or even millions of likely
possibilities to defeat the authentication
mechanism. Once this line of defense
is breached they can penetrate
any part of the system that credential
is authorized to access.
OUTSMARTING MALICIOUS
ATTACKERS
In addition to the lessons from IT, industry
specialists recommend a number of
other steps you can take to secure your
surveillance devices and your network.
- When using your smart devices implement
security principles such as
input validation, bounds checking,
access control and authentication.
- Encrypting communications is
good, but if the keys are readily
available then all they do is delay an
attacker rather than stop him. Keys
should be guarded as closely as possible
and not recorded in logs. They
should also be protected against resetting
by an untrusted party.
- If encryption is used on an interface
then the secret information
contained within should not then
be decrypted and passed on via an
unencrypted interface as it defeats
the purpose of encryption. Encryption/
decryption should be used as
quickly and discretely as possible
then cleared from memory.
- Firmware should be signed and
encrypted to prevent bad firmware
uploads or tampering. Failure to do
this not only carries security risks
but business risks as well since smart
devices like cameras rely on their
firmware to protect their customers.
Open source firmware—such as
Jail Break which allows the device
to download free software—opens
that device to future attacks because
developers rarely issue updates to repair
security gaps.
IS IT ALL DOOM AND GLOOM?
Cybersecurity for surveillance systems
certainly grows more challenging every
year. As a retailer, your environment often
stretches across a wide geographic
area and includes a host of network
attached devices. Managing cybersecurity
on such a large scale might seem
quite daunting, but consider looking
to your own IT department for guidance
and partnership. Employing the
same common sense security policies
and practices that they already have in
place will help you mitigate your risks.
It will also give your enterprise a much
more cohesive and holistic approach to
loss prevention, operations, strategic
merchandising and overall cyber protection.
In turn, that will help you safeguard
your assets, your bottom line and
your brand.
This article originally appeared in the June 2016 issue of Security Today.